CVE-2024-10573

Publication date 30 October 2024

Last updated 27 November 2024


Ubuntu priority

Cvss 3 Severity Score

6.7 · Medium

Score breakdown

An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.

Read the notes from the security team

Status

Package Ubuntu Release Status
mpg123 24.10 oracular
Fixed 1.32.7-1ubuntu0.1
24.04 LTS noble
Fixed 1.32.5-1ubuntu1.1
22.04 LTS jammy
Fixed 1.29.3-1ubuntu0.1
20.04 LTS focal
Fixed 1.25.13-1ubuntu0.2
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
14.04 LTS trusty Ignored end of ESM support, was needs-triage

Notes


alexmurray

Fixed in 1.32.8


mdeslaur

USN-7092-1 was released with focal missing r4991

Severity score breakdown

Parameter Value
Base score 6.7 · Medium
Attack vector Local
Attack complexity High
Privileges required Low
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H